Tofinosecurity.com uses cookies for analytics and functionality purposes.
To change your cookie settings or find out more, click here.
If you continue browsing our website or close this banner, you accept these cookies.

Search form

menu-bar

Home>Blog>Securing SCADA systems from APTs like Flame and Stuxnet – Part 1

Securing SCADA systems from APTs like Flame and Stuxnet – Part 1

Submitted by Eric Byres on Tue, 2012-06-12 21:00

Recently a very complex worm called Flame has been discovered attacking companies in the Middle East, and it is an excellent example of what security experts call an Advanced Persistent Threat (APT). Figuring out how to defend against APTs is a major focus in the IT security world.

Now while Flame was busy attacking the Middle East, I was in Abu Dhabi at the International Cyber Security Forum for Energy and Utilities, listening to a talk by Paul Dorey called "Advanced Persistent Threats - A Real Problem with Real Solutions" (you can download his presentation at the end of this article). Paul’s talk focused on security for the IT industry, but there were important lessons on managing attacks in the ICS / SCADA world. I will focus on one of those lessons in today’s blog.

What’s an APT? Is it just Marketing Hype?

First, a little background. Advanced Persistent Threats (APTs) are carefully crafted attacks against a focused target that are designed to be effective over an extended period of time. Ricard Bejtlich in his TaoSecurity Blog says it well:

Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.

Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data).

Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.

Now some people claim that APTs are just marketing hype, but Paul offered some chilling case studies showing that APTs are very real threats. Flame is also good example of an APT, but so are Stuxnet, Nitro, Night Dragon and Duqu. These are all attacks I have discussed in previous papers and blogs. Trying to wish away APTs as hype is a clear case of sticking one’s head in the sand.

Paul went on to discuss the seven advanced approaches that the best companies are using to deal with APTs. Figure 1 shows a summary of all seven, and in today’s blog I will cover the first one.

Lesson #1: Focus on the Crown Jewels

Advanced Approach #1 is to focus your protection efforts on your most important assets. It would be ideal to protect everything perfectly and do it all the time. Unfortunately modern systems, whether they are IT systems or control systems, have become too complex to achieve perfect and uniform security.

So the smart IT teams are focusing their scarce security resources on securing those assets that really matter to the survival of the company. They do not rely solely on a perimeter firewall to keep all the bad stuff out of the company (a technique known as a Bastion Model). Instead, they install additional layered defenses directly protecting key assets such as servers containing sensitive financial or intellectual property information.

There are good reasons for using this approach. The obvious one is that it allows a defense in depth strategy, rather than a bastion strategy. It also allows the company to focus additional money, effort and diligence on a few core assets. For example, it is a lot easier to carefully review the audit logs for two servers every day, rather than two hundred servers. Tasks that are highly focused are more likely to be carried out by over worked security staff.

The third reason is that these assets are the same ones the bad guys will focus on. Sure hackers and worms will go after any undefended computer, but in most cases these victims are just a stepping stone to the real target. Focusing your defensive efforts on the same things that your adversary is focusing on makes good security sense.

Focused Defense in the ICS and SCADA World

The strategy of focusing your defences also works for ICS and SCADA security. Every control system has a few assets that would seriously impact production, safety or the environment if successfully attacked. These might be the safety integrated system (SIS) in a refinery, the PLC controlling chlorine levels in a water filtration plant, or the RTU in a electrical substation. Every control engineer knows what really matters to his or her particular operation. Aggressively protect this asset and the chance of a truly serious cyber incident is massively reduced.

The first SCADA security lesson from the IT world is to focus on protecting the crown jewels. An example would be protecting safety integrated systems, like the Tricon safety integrated system shown on the right. Images courtesy of Royal Exhibitions and Invensys.

Consider Stuxnet. Symantec reports that the worm infected over 100,000 computers, 60% of these in Iran. But its ultimate target had to be the PLCs and drive controllers running the enrichment centrifuges. It wouldn’t have mattered if Stuxnet had infected one billion computers; if it could not get to the PLCs, it would have failed in its mission. Had Iran’s defence focused on protecting those PLCs, their enrichment process likely would never had been impacted. Clearly, they focused more on a bastion security model which ultimately failed them, allowing Stuxnet to impact at least 1000 centrifuges.

A Balanced Approach

Don’t get me wrong, neither Paul nor myself are advocating to give up on defending less critical assets or the network in general. This makes no more sense than a knight giving up the field and hiding in his castle.

What is needed (and is missing) is a balanced approach to system security. As an industry, we focus on trying to defend the entire field and forget about the castle containing the royal family. As long as the battle remains in the open, we think we are doing well. But when Ninja assassins (with names like Nitro, Duqu and Flame) start to sneak in, defending every laptop and desktop won’t seem all that important once the grid is down or the plant is leaking toxic chemicals.

So install those firewalls and Intrusion Detection Systems between IT and ICS networks. Build yourself what NERC-CIP calls an Electronic Security Perimeter (ESP). There is nothing wrong with that as part of a security strategy. Just remember to balance it with a focused defense, protecting what really matters to your process or company. Forget to focus and we will win the battle, but lose the war.

Do you agree with the “protecting the crown jewels” approach? Let me know your thoughts.

I don't think so. Just because you focus your defences on an asset doesn't mean that your adversary will see your efforts. Here are two examples:

1. Log Reviews: Where your security team spends its log review efforts is not exposed to the bad guys. They may be able to determine what is being logged (although this is hard to do), but not where the team does its reviews.

2. Firewalls: You may have a firewall defending a critical asset, but that doesn't mean that the bad guy can detect it or what is behind it. For example, Tofino was specifically designed to be invisible - no IP address, no changes to routing, nothing. To the bad guy a part of the network just isn't there.

So I think that a focused defence has a lot of benefits and minimal risk.

This apploach just follows Pareto principle or 80/20 rule. All business people know that you should concentrate 80% of your effort on your 20 most valuable clients (affairs). And this is a proven success strategy.